A cyber campaign that initially centered on exploiting Microsoft SharePoint vulnerabilities has reportedly taken a worrying turn, with ransomware now becoming a key component.
The operation is thought to be carried out by a group known as “Storm-2603,” and has already affected at least 400 victims, a figure that may be significantly underestimated. Microsoft revealed this development in a blog post on Wednesday evening, describing it as a transition from earlier cyber-espionage efforts.
Ransomware Now Part Of Breach Strategy
According to Microsoft, Storm-2603 is exploiting a known vulnerability in older versions of SharePoint Server to deliver ransomware payloads. Earlier incursions were more aligned with traditional espionage methods, but this new wave aims to paralyse systems and demand payment. “Expanded analysis and threat intelligence” led to this discovery, the company said.
This marks a substantial rise in threat level from what was already a serious cybersecurity concern. The Netherlands-based firm Eye Security, among the first to detect the breaches, highlighted a sharp increase in the number of affected organisations.
“There are many more, because not all attack vectors have left artefacts that we could scan for,” said Vaisha Bernard, Eye Security’s chief hacker.
US Public Agencies Among Targets
Reports now indicate that a number of US government agencies have been hit by the campaign. The National Institutes of Health confirmed that one of its servers had been breached and that additional systems were quarantined as a precaution. Media outlets including NextGov and Politico reported that the Department of Homeland Security and several other agencies were also impacted.
While the Cybersecurity and Infrastructure Security Agency (CISA) has yet to offer comment, the breadth of these breaches is a cause for concern. Microsoft has not indicated whether it will publish further details on the ransomware component.
Chinese‑Linked Hackers Accused
The incident stemmed from Microsoft’s inability to fully patch a critical flaw in SharePoint Server, which allowed malicious actors to gain unauthorised access. Microsoft and Google’s parent company Alphabet have attributed the exploitation of this flaw to Chinese‑linked hackers. The Chinese government has denied any involvement.
By incorporating ransomware into their tactics, Storm‑2603 demonstrates how attackers can shift from politically motivated espionage to financially driven operations. As this story develops, organisations are being strongly urged to apply updates promptly and check systems for signs of unauthorised access.
